SANS Technology Institute - Candidate for Master of Science Degree

Animal Farm: Protection From Client-side Attacks by Rendering Content With Python and Squid
TJ O'Connor, March 2011
GIAC (GCIH Gold, GSEC Gold, GCIA Gold, GCFA Gold, GREM, GPEN, GWAPT, GCFE, GCFW)
Objective

• Background
• The Threat
• Mitigating The Threat
• PDF Exploits
• Office Exploits
• Internet Exploits
• Results
• Conclusion
Background

• Annual Cyber Defense Exercise
• Undergraduates defend against a highly skilled NSA red team
• Last year introduced client side attacks as an attack vector
• Unsophisticated users clicking on links for four straight days
• How do you defend?
The Threat

• January 2010 breach of Google, Adobe and some 34 other companies (Operation Aurora)
• Compromised via a client side vulnerability in Internet Explorer
• Targeted software configuration management servers
• Client side attacks:
  – Can evade your antivirus
  – Run under the context of your application, with the user's privileges
  – Target the weakest link, your users
  – Prove an excellent vector to pivot
Mitigating The Threat

• When the user opens the content, it is too late
• The exploit can cause unrecoverable damage immediately
• Instead, render the content benign when the user requests it
• A transparent proxy can render content safe
• The proxy can run content through a series of external scripts
Squid

• Extremely fast and efficient proxy server and web cache daemon
• Write rules to redirect traffic transparently using redirect_program (called url_rewrite_program in current Squid releases)
• Redirect it to a series of scripts based on file type
• Redirect the user to the safely rendered content

import sys

# Redirector helper: Squid feeds one request per line on stdin and reads the
# rewritten URL back on stdout. safePdf()/safeDoc()/... are the author's
# per-type rendering scripts (not shown on the slide); each returns the URL of
# the rendered copy, newline-terminated. Assumes each line holds only the URL.
cnt = 0
while True:
    cnt = cnt + 1                     # per-request counter, used to name the rendered copy
    line = sys.stdin.readline().strip()
    if not line:                      # EOF: Squid has closed the helper
        break
    fileExt = (line.split('.')[-1]).upper()
    if "PDF" == fileExt: new_url = safePdf(line, cnt)
    elif "DOC" == fileExt: new_url = safeDoc(line, cnt)
    elif "XLS" == fileExt: new_url = safeXls(line, cnt)
    elif "PPT" == fileExt: new_url = safePpt(line, cnt)
    elif "EXE" == fileExt: new_url = safeExe(line, cnt)
    elif "HTM" in fileExt: new_url = safeHtm(line)
    else: new_url = line + "\n"       # nothing to render: pass the URL through unchanged
    sys.stdout.write(new_url)
    sys.stdout.flush()                # Squid blocks until the reply line arrives
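As an added example (not code from the talk), here is a complete Squid url_rewrite_program helper in Python 3 that performs the dispatch above while handling the real helper line format, which carries the client address, ident and method after the URL and, when Squid is started with concurrency, a leading channel ID that must be echoed back. The sanitizer host sanitizer.animalfarm.local and its per-type routes are assumptions standing in for the author's safe*() scripts, which the slide does not show.

```python
import sys
from urllib.parse import urlsplit, quote

# Hypothetical front-end for the rendering scripts (an assumption made for this
# example): one route per file type; each route fetches the original, renders it
# benign and serves the cleaned copy. The talk's own safe*() scripts are not shown.
SANITIZER = "http://sanitizer.animalfarm.local"

# URL path extension -> sanitizer route. Everything else passes through untouched.
ROUTES = {
    "pdf": "pdf",
    "doc": "doc",
    "xls": "xls",
    "ppt": "ppt",
    "exe": "exe",
    "htm": "htm",
    "html": "htm",
}


def url_extension(url):
    """Extension of the URL *path*, lower-cased; '' when there is none.
    Query string and fragment are ignored, so ?download=1.exe cannot steer the dispatch."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def rewrite(line):
    """Handle one Squid request line and return the reply line (without newline).

    url_rewrite_program protocol: each request is
        [channel-ID] URL client_ip/fqdn ident method [kv-pairs]
    (channel-ID only when the helper runs with concurrency=N). The classic reply
    is the rewritten URL, or the original URL to leave the request alone.
    """
    fields = line.split()
    if not fields:
        return ""
    channel = ""
    if fields[0].isdigit() and len(fields) > 1:    # concurrency channel id: echo it back
        channel, fields = fields[0] + " ", fields[1:]
    url = fields[0]
    route = ROUTES.get(url_extension(url))
    if route is None:
        return channel + url                         # no renderer for this type: pass through
    return "%s%s/%s?u=%s" % (channel, SANITIZER, route, quote(url, safe=""))


def main():
    # Squid writes one request per line and waits for the answer, so reply line
    # by line and flush every time; a block-buffered helper hangs the proxy.
    for line in sys.stdin:
        sys.stdout.write(rewrite(line.strip()) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Wire it in with url_rewrite_program pointing at the script and enough url_rewrite_children to cover the request rate. Two caveats a practitioner should keep in mind: the bare-URL reply shown is the classic format, and Squid 3.4 and later also accept the keyword form (OK rewrite-url=... or a 302 redirect); and a URL rewriter only ever sees the URL, so a PDF fetched from /download?id=42 or served as .php with Content-Type application/pdf passes straight through. The extension dispatch therefore has to be backed by a content check (magic bytes) inside the rendering scripts.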
Squid Redirection

[Diagram: the request GET http://maliciouspdfs.com/bad.pdf passing through the Squid redirector to the rendering script for its file type]
PDF Exploits

• Commonly exploit the JavaScript interpreter
• Target vulnerable functions such as getIcon() or util.printf()
• Reference an exploit stored in an obfuscated stream
• Take advantage of automatic actions: an /OpenAction or /AA (additional actions) entry fires the JavaScript as soon as the document opens, before the user does anything
PDF Exploits

Obfuscated: the PDF name tokens are hex-escaped (#xx), so a signature looking for /JavaScript or /OpenAction never matches the raw bytes.

%PDF-1.5
1 0 obj<</Ty#70#65/#43#61#74al#6fg/O#75t#6c#69ne#73 2 0 R/P#61#67#65#73 3 0 R/O#70e#6e#41#63#74ion 5 0 R>>endobj
2 0 obj<</#54ype/Out#6cin#65#73/#43ou#6e#74 0>>endobj
3 0 obj<</#54y#70e/#50#61ge#73/#4b#69#64#73[4 0 R]/C#6fun#74 1>>endobj
4 0 obj<</T#79p#65/P#61#67#65/#50#61rent 3 0 R/#4dediaBo#78[0 0 612 792]>>endobj
5 0 obj<</#54#79pe/#41c#74i#6fn/S/#4aav#61Scr#69#70#74/#4aS 6 0 R>>endobj
6 0 obj<</L#65#6eg#74#68 6475/Fil#74#65#72[/FlateD#65cod#65/AS#43#49#49H#65#78#44ec#6f#64e]>>

Decoded: the same objects with the names resolved. The catalog's /OpenAction points at object 5, a /JavaScript action whose code is stream 6, which must be inflated (FlateDecode) and then hex-decoded (ASCIIHexDecode) before the script body is visible to any pattern match.

%PDF-1.5
1 0 obj<</Type/Catalog/Outlines 2 0 R/Pages 3 0 R/OpenAction 5 0 R>>endobj
2 0 obj<</Type/Outlines/Count 0>>endobj
3 0 obj<</Type/Pages/Kids[4 0 R]/Count 1>>endobj
4 0 obj<</Type/Page/Parent 3 0 R/MediaBox[0 0 612 792]>>endobj
5 0 obj<</Type/Action/S/JavaScript/JS 6 0 R>>endobj
6 0 obj<</Length 6475/Filter[/FlateDecode/ASCIIHexDecode]>>stream

Disarming the file with pdfid's disarm option (via the pdfid_PL module used in the talk, built on Didier Stevens' PDFiD):

import pdfid_PL as pdfid
xmldoc, cleaned = pdfid.PDFiD('file.pdf', disarm=True, output_file='cleaned.pdf', raise_exceptions=True, return_cleaned=True)
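The following is an added example (Python 3, not from the talk and not pdfid's code) of the normalisation step that turns the obfuscated sample back into the decoded one, followed by a pdfid-style count of risky names and the same case-swapping disarm that pdfid performs. The sample bytes are the slide's six objects, reassembled here.

```python
import re

# The slide's obfuscated objects, reassembled as test input.
SAMPLE = b"""%PDF-1.5
1 0 obj<</Ty#70#65/#43#61#74al#6fg/O#75t#6c#69ne#73 2 0 R/P#61#67#65#73 3 0 R/O#70e#6e#41#63#74ion 5 0 R>>endobj
2 0 obj<</#54ype/Out#6cin#65#73/#43ou#6e#74 0>>endobj
3 0 obj<</#54y#70e/#50#61ge#73/#4b#69#64#73[4 0 R]/C#6fun#74 1>>endobj
4 0 obj<</T#79p#65/P#61#67#65/#50#61rent 3 0 R/#4dediaBo#78[0 0 612 792]>>endobj
5 0 obj<</#54#79pe/#41c#74i#6fn/S/#4aav#61Scr#69#70#74/#4aS 6 0 R>>endobj
6 0 obj<</L#65#6eg#74#68 6475/Fil#74#65#72[/FlateD#65cod#65/AS#43#49#49H#65#78#44ec#6f#64e]>>
"""

# A PDF name runs from '/' to the next whitespace or delimiter; inside it, #xx is
# a hex-escaped byte (PDF 1.2 and later), which is what the sample abuses.
NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Names that make a document act on its own or carry code (a subset of what pdfid counts).
RISKY = (b"JavaScript", b"JS", b"OpenAction", b"AA", b"Launch", b"EmbeddedFile", b"RichMedia")
RISKY_RE = re.compile(rb"/(" + b"|".join(RISKY) + rb")(?![0-9A-Za-z])")


def normalize_names(data):
    """Decode every #xx escape inside name tokens so that '/Ty#70#65' reads '/Type'."""
    def fix(m):
        return b"/" + HEX_RE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(1))
    return NAME_RE.sub(fix, data)


def scan(data):
    """Count risky names in the bytes exactly as given (no decoding)."""
    counts = {k.decode(): 0 for k in RISKY}
    for m in RISKY_RE.finditer(data):
        counts[m.group(1).decode()] += 1
    return counts


def disarm(data):
    """pdfid's trick: swap the case of risky names ('/JavaScript' -> '/jAVAsCRIPT').
    Readers ignore names they do not recognise, so the file still opens but the
    action and script entries are dead. Run it on normalize_names() output."""
    return RISKY_RE.sub(lambda m: b"/" + m.group(1).swapcase(), data)


if __name__ == "__main__":
    decoded = normalize_names(SAMPLE)
    print("raw     :", {k: v for k, v in scan(SAMPLE).items() if v})
    print("decoded :", {k: v for k, v in scan(decoded).items() if v})
    print("disarmed:", {k: v for k, v in scan(disarm(decoded)).items() if v})
```

Scanning the raw bytes finds nothing; scanning after normalisation finds the /OpenAction, /JavaScript and /JS entries, which is why any keyword-based check has to decode names first. Like pdfid, this looks only at the file's raw bytes: dictionaries packed into a compressed object stream (PDF 1.5 /ObjStm) or an encrypted document are invisible to it, which is the argument for rendering the document into a fresh file rather than trusting a scan.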
Office Exploits

• As simple as an embedded malicious exe or macro
• As complex as shell code inside of an OLE structure
• Are found in specific OLE structures
  – DOC – 'Macros\VBA' OLE storage
  – XLS – 'Workbook' OLE stream
  – PPT – 'PowerPoint Document' OLE stream

from classOLEScanner import pyOLEScanner

oleScanner = pyOLEScanner(file)           # file: path to the downloaded Office document
eole = oleScanner.embd_ole_scan()         # embedded OLE objects
epe = oleScanner.embd_pe()                # embedded PE executables
shellc = oleScanner.shellcode_scanner()   # shell code patterns
oleScanner.xor_bruteforcer()              # XOR-obfuscated payloads
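As an added example, not the talk's or pyOLEScanner's code, the Python 3 below reads the OLE2 compound-file directory directly, lists every storage and stream path, identifies the application from the stream names listed above, and flags a VBA storage. The .doc skeleton it tests against is built by build_sample_doc(), a constructed file for this example, not a real document.

```python
import struct

# MS-CFB (OLE2 compound file) constants
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD
NOSTREAM = 0xFFFFFFFF
STORAGE, STREAM, ROOT = 1, 2, 5


def is_ole(data):
    return data[:8] == OLE_MAGIC


def _entries(data):
    """Header -> FAT (via the 109 DIFAT slots in the header) -> directory chain.
    Returns the 128-byte directory entries as dicts, in on-disk order."""
    if not is_ole(data):
        raise ValueError("not an OLE2 compound file")
    ssize = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    first_dir = struct.unpack_from("<I", data, 0x30)[0]
    fat = []
    for s in struct.unpack_from("<109I", data, 0x4C):
        if s >= 0xFFFFFFFA:                          # FREESECT: no more FAT sectors
            break
        fat.extend(struct.unpack_from("<%dI" % (ssize // 4), data, (s + 1) * ssize))
    entries, sect, seen = [], first_dir, set()
    while sect < 0xFFFFFFFA and sect not in seen:    # 'seen' defeats a looped FAT chain
        seen.add(sect)
        base = (sect + 1) * ssize                    # sector n starts at (n+1)*ssize
        for off in range(base, base + ssize, 128):
            nlen, etype = struct.unpack_from("<HB", data, off + 0x40)
            left, right, child = struct.unpack_from("<III", data, off + 0x44)
            name = data[off:off + max(nlen - 2, 0)].decode("utf-16-le", "replace")
            entries.append({"name": name, "type": etype, "left": left, "right": right, "child": child})
        sect = fat[sect] if sect < len(fat) else ENDOFCHAIN
    return entries


def ole_paths(data):
    """[(path, type)] for every storage and stream. A storage's children form a
    red-black tree; walk it left-self-right and descend into sub-storages."""
    entries, out, seen = _entries(data), [], set()

    def walk(idx, prefix):
        if idx == NOSTREAM or idx >= len(entries) or idx in seen:
            return
        seen.add(idx)
        e = entries[idx]
        walk(e["left"], prefix)
        path = prefix + e["name"]
        out.append((path, e["type"]))
        if e["type"] == STORAGE:
            walk(e["child"], path + "/")
        walk(e["right"], prefix)

    if entries:
        walk(entries[0]["child"], "")                # entries[0] is the Root Entry
    return out


def office_kind(paths):
    """Legacy Office format, from the stream names the slide lists."""
    names = {p.rsplit("/", 1)[-1] for p, _ in paths}
    if "WordDocument" in names:
        return "doc"
    if "Workbook" in names or "Book" in names:
        return "xls"
    if "PowerPoint Document" in names:
        return "ppt"
    return "unknown"


def has_vba(paths):
    """Heuristic: any storage named VBA (Word: Macros/VBA; Excel: _VBA_PROJECT_CUR/VBA)."""
    return any(t == STORAGE and p.rsplit("/", 1)[-1].upper() == "VBA" for p, t in paths)


# --- constructed test input: a minimal .doc skeleton carrying a Macros/VBA storage ---
def _dir_entry(name, etype, left=NOSTREAM, right=NOSTREAM, child=NOSTREAM):
    e = bytearray(128)
    n = name.encode("utf-16-le") + b"\x00\x00"
    e[:len(n)] = n
    struct.pack_into("<HBB", e, 0x40, len(n), etype, 1)   # name length, object type, colour
    struct.pack_into("<III", e, 0x44, left, right, child)
    return bytes(e)


def build_sample_doc():
    """512-byte header + FAT in sector 0 + one directory sector (4 entries) in sector 1."""
    h = bytearray(512)
    h[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", h, 0x18, 0x3E, 3, 0xFFFE, 9, 6)      # v3, little-endian, 512/64-byte sectors
    struct.pack_into("<IIII", h, 0x28, 0, 1, 1, 0)                 # 1 FAT sector; directory starts at sector 1
    struct.pack_into("<IIIII", h, 0x38, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", h, 0x4C, 0, *([FREESECT] * 108))      # DIFAT: the FAT is sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    directory = b"".join([
        _dir_entry("Root Entry", ROOT, child=1),
        _dir_entry("Macros", STORAGE, right=2, child=3),
        _dir_entry("WordDocument", STREAM),
        _dir_entry("VBA", STORAGE),
    ])
    return bytes(h) + fat + directory


if __name__ == "__main__":
    paths = ole_paths(build_sample_doc())
    print(office_kind(paths), "vba=%s" % has_vba(paths), paths)
```

The parser reads only the directory, which is enough to decide whether a document carries the structures the slide names and so which rendering script it should go to; extracting the VBA source itself means following each stream's FAT chain (or the mini-FAT for streams under 4096 bytes) and decompressing the VBA container, which is what a full scanner such as pyOLEScanner does on top of this.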
Internet Explorer Exploits

• Specific to the OS and browser because of protection mechanisms (DEP, ASLR, NX, UAC)
• Exploit pages use the User-Agent string to pick the payload for the visiting browser
• Easy to test for auto-targeting: fetch the same URL with different User-Agent strings and see which ones are served content

import urllib2

def fetch_as(addr, agent):
    """Request addr claiming to be `agent`; return 0 if content was served, 1 if the server refused it."""
    try:
        opener = urllib2.build_opener()
        opener.addheaders = [('User-agent', agent)]
        opener.open(addr)
        print "[*] Fetch Worked for: " + agent + "."
        return 0
    except urllib2.HTTPError:      # 4xx/5xx: this browser string is not a target
        print "[*] Fetch Failed for: " + agent + "."
        return 1
Strangle IE Exploits with Python

• Exploits use obfuscated JavaScript to evade signature detection
• Use Python to extract the JavaScript
• Examine its behaviour for malicious activity, such as a long run of identical large mallocs() that indicates a heap spray

animal@animalFarm:~# python malloc.py
9008,3072,4096,9239,7187,1047,1047,1047,21534,1047,1040,1040,1047,1536,8211,9239,9239,9239,9239,9239,9239,9239,9239,9239,9239,9239,9239,9239,9239,9239,9239,9239,9239,9239,9239,9239,9239,9239,9239,9239,9239,1047,8211,1536,2048,
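Added example (Python 3; not the author's malloc.py, which observes allocations at run time): a static first pass that extracts inline <script> bodies and looks for the three building blocks of a classic heap spray, namely an unescape() literal that repeats one %u word (the NOP sled), a doubling loop that grows a string to a target size, and a loop that fills an array with copies of it. SAMPLE_HTML is a constructed page written for this example, not a captured exploit.

```python
import re

# Constructed sample page: a textbook heap spray (not taken from the talk).
SAMPLE_HTML = """<html><body><p>loading...</p>
<script type="text/javascript">
var shellcode = unescape("%uc931%ue983%ud9de%ud9ee%u2474%uf45b");
var nops = unescape("%u0c0c%u0c0c");
while (nops.length < 0x40000) nops += nops;
var block = nops.substring(0, 0x40000 - shellcode.length) + shellcode;
var spray = new Array();
for (var i = 0; i < 300; i++) spray[i] = block + "";
</script></body></html>"""

BENIGN_HTML = '<html><script>document.write("hello " + new Date());</script></html>'

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
# unescape("%u....%u....") literals: both shellcode and NOP sleds are built this way
UNESCAPE_RE = re.compile(r"""unescape\(\s*['"]((?:%u[0-9a-fA-F]{4})+)['"]\s*\)""")
# while (s.length < N) s += s;   doubles a string up to a target size
DOUBLING_RE = re.compile(r"while\s*\(\s*(\w+)\.length\s*<\s*(0x[0-9a-fA-F]+|\d+)\s*\)\s*\1\s*\+=\s*\1\b")
# for (i = 0; i < N; ...) arr[i] = ...   fills the heap with N copies
SPRAY_LOOP_RE = re.compile(
    r"for\s*\(\s*(?:var\s+)?(\w+)\s*=\s*0\s*;\s*\1\s*<\s*(0x[0-9a-fA-F]+|\d+)\s*;[^)]*\)\s*\w+\s*\[\s*\1\s*\]\s*=")


def _num(s):
    return int(s, 16) if s.lower().startswith("0x") else int(s)


def extract_scripts(html):
    """Inline <script> bodies in document order (src= scripts would need a fetch; skipped)."""
    return SCRIPT_RE.findall(html)


def analyze(html):
    """Static heap-spray indicators for one page: the evidence plus a verdict."""
    scripts = extract_scripts(html)
    js = "\n".join(scripts)
    sleds = []
    for lit in UNESCAPE_RE.findall(js):
        words = re.findall(r"%u([0-9a-fA-F]{4})", lit)
        if len(set(w.lower() for w in words)) == 1:        # one word repeated = NOP sled
            sleds.append(words[0].lower())
    doubling = [_num(n) for _, n in DOUBLING_RE.findall(js)]
    loops = [_num(n) for _, n in SPRAY_LOOP_RE.findall(js)]
    # JS strings are UTF-16, so bytes sprayed ~ 2 * block length * iterations
    sprayed = 2 * max(doubling, default=0) * max(loops, default=0)
    hits = sum(1 for x in (sleds, doubling, loops) if x)
    verdict = "heap-spray" if hits == 3 else "suspicious" if hits else "clean"
    return {"scripts": len(scripts), "nop_sleds": sleds, "doubling_targets": doubling,
            "spray_iterations": loops, "sprayed_bytes": sprayed, "verdict": verdict}


if __name__ == "__main__":
    for name, page in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        print(name, analyze(page))
```

A proxy script would block or strip the script on a "heap-spray" verdict and pass "clean" pages through. The limits are the ones the slide implies: once the attacker wraps the spray in eval() of a decoded string, pattern matching on the source sees nothing, and only running the JavaScript and watching the allocation sizes, as the malloc.py output above does, still catches it.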
Strangle IE Exploits with Python

• Strip dynamic content out of Adobe PDF documents
• Remove embedded executables, macros, or shell code
• Strip embedded macros out of Microsoft Word documents
• Strip JavaScript that allocates large, repeated blocks of memory
• Block pages that only offer content to specific browsers
• Remove <script> tags dynamically
• Replace suspected shell code with NOPs
• Remove specific XSS attempts against clients
• Check the MD5 sum of executables against known malware
• Block files whose content does not match their file type (file mismatch errors)
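An added example (Python 3, not the talk's code) of the last two checks in that list: identifying the real container type from magic bytes and comparing it with the URL extension, and a hash lookup against a denylist of known malware. The denylist entry is computed from a constructed PE-like byte string so the example runs offline; SHA-256 is used where the slide says MD5.

```python
import hashlib

# Container signatures at offset 0. PDF is special-cased in sniff() because
# readers accept junk before the header.
SIGNATURES = (
    ("ole", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),   # .doc/.xls/.ppt (OLE2 compound file)
    ("zip", b"PK\x03\x04"),                          # .docx/.xlsx/.pptx/.jar/.zip
    ("pe", b"MZ"),                                   # .exe/.dll/.scr
    ("elf", b"\x7fELF"),
)

# URL extension -> container types that may legitimately carry it
EXPECTED = {
    "pdf": {"pdf"},
    "doc": {"ole"}, "xls": {"ole"}, "ppt": {"ole"},
    "docx": {"zip"}, "xlsx": {"zip"}, "pptx": {"zip"},
    "exe": {"pe"}, "dll": {"pe"}, "scr": {"pe"},
}


def sniff(data):
    """Container type from magic bytes, or 'unknown'."""
    if b"%PDF-" in data[:1024]:          # Acrobat tolerates up to 1024 bytes before %PDF-
        return "pdf"
    for kind, magic in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def mismatch(ext, data):
    """True when the bytes do not match what the URL extension promises.
    Extensions without an entry (htm, txt, ...) are not checked here."""
    expected = EXPECTED.get(ext.lower())
    return expected is not None and sniff(data) not in expected


# Constructed denylist entry; in practice the hashes come from an AV or threat-intel feed.
SAMPLE_BAD = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 20
KNOWN_BAD = {hashlib.sha256(SAMPLE_BAD).hexdigest(): "constructed-test-sample"}


def lookup(data, denylist=KNOWN_BAD):
    """Label of a known-bad file, or None. Any hash only matches byte-identical
    samples: a one-byte change evades it, so this is a cheap pre-filter, not the defence."""
    return denylist.get(hashlib.sha256(data).hexdigest())


def verdict(ext, data):
    """Decision for one downloaded object before it goes to the rendering scripts."""
    if lookup(data):
        return "block: known malware"
    if mismatch(ext, data):
        return "block: %s content served as .%s" % (sniff(data), ext)
    return "render"
```

In the proxy flow this runs on the bytes the rendering script has fetched, not on the URL, which closes the gap left by extension-only dispatch: an executable renamed to .pdf is caught by mismatch(), and a known sample is dropped before any renderer touches it.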
Results

• The 2010 Cyber Defense Exercise was the proving ground
• Four days of users clicking on content built by the NSA red team
• Zero compromises of the end users
Summary

• Client side attacks are a dangerous threat vector
• They can bypass several of our protection mechanisms
• We examined specific techniques for rendering files benign
• Employing these techniques in the context of a proxy works
• Additional scripts can be added to mitigate newer threats